session_start
From; https://www.php.net/manual/en/function.session-start.php
session_start
(PHP 4, PHP 5, PHP 7, PHP 8)
session_start — Start new or resume existing session
Description
session_start(array $options = []): bool
session_start() creates a session or resumes the current one based on a
session identifier passed via a get or post request, or passed via a
cookie.
When session_start() is called or when a session auto starts, PHP will call
the open and read session save handlers. These will either be a built-in
save handler provided by default or by PHP extensions (such as SQLite or
Memcached); or can be custom handler as defined by s
ession_set_save_handler(). The read callback will retrieve any existing
session data (stored in a special serialized format) and will be
unserialized and used to automatically populate the $_SESSION superglobal
when the read callback returns the saved session data back to PHP session
handling.
To use a named session, call session_name() before calling session_start().
When session.use_trans_sid is enabled, the session_start() function will
register an internal output handler for URL rewriting.
If a user uses ob_gzhandler or similar with ob_start(), the function order
is important for proper output. For example, ob_gzhandler must be
registered
before starting the session.
Parameters
options
If provided, this is an associative array of options that will override the
currently set session configuration directives. The keys should not
include the session. prefix.
In addition to the normal set of configuration directives, a
read_and_close option may also be provided. If set to true, this will
result
in the session being closed immediately after being read, thereby avoiding
unnecessary locking if the session data won't be changed.
Return Values
This function returns true if a session was successfully started, otherwise
false.
Changelog
| Version | Description
|
| 7.1.0 | Lsession_start() now returns false and no longer initializes
$_SESSION when it failed to start the session.
|
Examples
A basic session example
Example #1 page1.php
<?php
// page1.php
session_start();
echo 'Welcome to page #1';
$_SESSION['favcolor'] = 'green';
$_SESSION['animal'] = 'cat';
$_SESSION['time'] = time();
// Works if session cookie was accepted
echo '<br /><a href="page2.php">page 2</a>';
// Or maybe pass along the session id, if needed
echo '<br/><a href="page2.php?' . SID . '">page 2</a>';
?>
After viewing page1.php, the second page page2.php will magically contain
the session data. Read the session reference for information on propagating
session ids as it, for example, explains what the constant SID is all
about.
Example #2 page2.php
<?php
// page2.php
session_start();
echo 'Welcome to page #2<br/gt:';
echo $_SESSION['favcolor']; // green
echo $_SESSION['animal']; // cat
echo date('Y m d H:i:s', $_SESSION['time']);
// You may want to use SID here, like we did in page1.php
echo '<br/><a href="page1.php">page 1</a>';
?>
Providing options to session_start()
Example #3 Overriding the cookie lifetime
<?php
// This sends a persistent cookie that lasts a day.
session_start( [ 'cookie_lifetime' => 86400, ] );
?>
Example #4 Reading the session and closing it
<?php
// If we know we don't need to change anything in the
// session, we can just read and close rightaway to avoid
// locking the session file and blocking other pages
session_start([
'cookie_lifetime' => 86400,
'read_and_close' => true,
]);
Notes
Note:
To use cookie-based sessions, session_start() must be called before
outputting anything to the browser.
Note:
Use of zlib.output_compression is recommended instead of ob_gzhandler()
Note:
This function sends out several HTTP headers depending on the
configuration.
See session_cache_limiter() to customize these headers.
See Also
User Contributed Notes 40 notes
ohcc at 163 dot com 9 years ago
The constant SID would always be '' (an empty string) if directive
session.use_trans_sid in php ini file is set to 0.
So remember to set session.use_trans_sid to 1 and restart your server
before
you use SID in your php script.
linblow at hotmail dot fr 12 years ago
If you want to handle sessions with a class, I wrote this little class:
<?php
/*H*******************************************************
Use static method getInstance to get the object.
********************************************************/
class Session
{
const SESSION_STARTED = TRUE;
const SESSION_NOT_STARTED = FALSE;
// session state
private $sessionState = self::SESSION_NOT_STARTED;
private static $instance; // ONLY CLASS
INSTANCE
private function __construct() {}
/*********************************************************
* Returns 'Session' instance
* session is automatically initialized if it wasn't.
* @return object
*********************************************************/
public static function getInstance()
{
if( !isset(self::$instance))
{
self::$instance = new self;
}
self::$instance->startSession();
return( self::$instance );
}
/*********************************************************
* (Re)starts the session.
* @return bool TRUE if session has been initialized, else FALSE.
*********************************************************/
public function startSession()
{
if( $this->sessionState == self::SESSION_NOT_STARTED )
{
$this->sessionState = session_start();
}
return $this->sessionState;
}
/*********************************************************
* Stores datas in session.
* Example: $instance->foo = 'bar';
* @param name Name of the datas.
* @param value Your datas.
* @return void
*********************************************************/
public function __set( $name , $value )
{
$_SESSION[$name] = $value;
}
/*********************************************************
* Gets datas from session.
* Example: echo $instance->foo;
* @param name Name of the datas to get.
* @return mixed Datas stored in session.
*********************************************************/
public function __get( $name )
{
if( isset($_SESSION[$name]))
{
return $_SESSION[$name];
}
}
/*F*****************************************************
*
*******************************************************/
public function __isset( $name )
{
return isset($_SESSION[$name]);
}
/*F*****************************************************
*
*******************************************************/
public function __unset( $name )
{
unset( $_SESSION[$name] );
}
/*********************************************************
* Destroys current session.
* @return bool TRUE is session has been deleted, else FALSE.
*********************************************************/
public function destroy()
{
if( $this->sessionState == self::SESSION_STARTED )
{
$this->sessionState = !session_destroy();
unset( $_SESSION );
return !$this->sessionState;
}
return FALSE;
}
}
/*F*****************************************************
* Examples:
*******************************************************/
$data = Session::getInstance(); // get
INSTANCE
$data->nickname = 'Someone'; // STORE DATAS IN
SESSION
$data->age = 18;
printf( '<p>My name is %s and I\'m %d years old.</p>' // DISPLAY
DATAS
, $data->nickname , $data->age );
/*I*******************************************************
It will display:
Array
(
[nickname] => Someone
[age] => 18
)
********************************************************/
printf( '<pre>%s</pre>' , print_r( $_SESSION , TRUE ));
ar_dump( isset( $data->nickname )); //
TRUE
$data->destroy(); // DESTROY
SESSION
var_dump( isset( $data->nickname )); //
FALSE
?>
I prefer using this class instead of using directly the array $_SESSION.
bachtel at [googles email service]dotcom 6 years ago
If you are using a custom session handler via session_set_save_handler()
then calling session_start() in PHP 7.1 you might see an error like this:
session_start(): Failed to read session data: user (path:
/var/lib/php/session) in ...
As of this writing, it seems to be happening in PHP 7.1, and things look OK
in PHP7.0.
It is also hard to track down because if a session already exists for this
id (maybe created by an earlier version of PHP), it will not trigger this
issue because the $session_data will not be null.
The fix is simple... you just need to check for 'null' during your read
function:
<?php
function read( $id )
{
// ... PULL DATA OUT OF DB, OFF DISK, MEMCACHE, ETC
$session_data = getSessionDataFromSomewhere( $id );
// CHECK TO SEE IF $session_data IS NULL BEFORE RETURNING (CRITICAL)
if( is_null( $session_data ) )
{
$session_data = ''; //use empty string instead of null!
}
return $session_data;
}
?>
marco dot agnoli at me dot com 5 years ago
I recently made an interesting observation:
It seems that `session_start()` can return `true` even if the session was
not properly created. In my case, the disk storage was full and so the
session data could not be written to disk. I had some logic that resulted
in
an infinite loop when the session was not written to disk.
To check if the session really was saved to disk I used:
```
<?php
/*F**********************************************************************
*
************************************************************************/
function safe_session_start()
{
# Attempt to start a session
if( !@\session_start() )
return( false );
#
# Check if we need to perform
# the write test.
#
if( !isset($_SESSION['__validated']) )
{
$_SESSION['__validated'] = 1;
# ATTEMPT TO WRITE SESSION TO DISK
@\session_write_close();
# UNSET VARIABLE FROM MEMORY
# THIS STEP MAY BE UNNECESSARY
unset( $_SESSION['__validated'] );
# Re-start session
@\session_start();
# Check if variable value is retained
if( !isset( $_SESSION['__validated']) )
{
# SESSION WAS NOT WRITTEN TO DISK
return false;
}
}
return( true );
}
if( !safe_session_start() )
{
# SESSIONS ARE PROBABLY NOT WRITTEN TO DISK...
# HANDLE ERROR ACCORDINGLY
}
?>
Took me quite a while to figure this out.
Maybe it helps someone!
aaronw at catalyst dot net dot nz 8 years ago
As others have noted, PHP's session handler is blocking. When one of your
scripts calls session_start(), any other script that also calls
session_start() with the same session ID will sleep until the first script
closes the session.
A common workaround to this is call session_start() and
session_write_close() each time you want to update the session.
The problem with this, is that each time you call session_start(), PHP
prints a duplicate copy of the session cookie to the HTTP response header.
Do this enough times (as you might do in a long-running script), and the
response header can get so large that it causes web servers & browsers to crash
or reject your response as malformed.
This error has been reported to PHP HQ, but they've marked it "Won't fix"
because they say you're not supposed to open and close the session during a
single script like this. https://bugs.php.net/bug.php?id=31455
As a workaround, I've written a function that uses headers_list() and
header_remove() to clear out the duplicate cookies. It's interesting to note
that even on requests when PHP sends duplicate session cookies, headers_list()
still only lists one copy of the session cookie. Nonetheless, calling
header_remove() removes all the duplicate copies.
<?php
/*********************************************************
* Every time you call session_start(), PHP adds another
* identical session cookie to the response header. Do this
* enough times, and your response header becomes big enough
* to choke the web server.
*
* This method clears out the duplicate session cookies. You can
* call it after each time you've called session_start(), or call it
* just before you send your headers.
********************************************************/
function clear_duplicate_cookies()
{
// If headers have already been sent, there's nothing we can do
if( headers_sent() )
{
return;
}
$cookies = array();
foreach( headers_list() as $header)
{
if( strpos( $header, 'Set-Cookie:') === 0)
{ // Identify cookie headers
$cookies[] = $header;
}
}
// Removes all cookie headers, including duplicates
header_remove( 'Set-Cookie' );
foreach( array_unique( $cookies ) as $cookie)
{ // Restore one copy of each cookie
header( $cookie, false);
}
}
?>
emre@yazici 13 years ago
PHP Manual specifically denotes this common mistake:
Depending on the session handler, not all characters are allowed within the
session id. For example, the file session handler only allows characters in
the range a-z A-Z 0-9 , (comma) and - (minus)!
See session_id() manual page for more details.
dave1010 at gmail dot com 12 years ago
PHP locks the session file until it is closed. If you have 2 scripts using
the same session (i.e. from the same user) then the 2nd script will not
finish its call to session_start() until the first script finishes
execution.
If you have scripts that run for more than a second and users may be making
more than 1 request at a time then it is worth calling
session_write_close()
as soon as you've finished writing session data.
<?php
session_start(); // SESSION LOCK IN PLACE, SO OTHER SCRIPTS HAVE TO
WAIT
$_SESSION['a'] = 1; // DO ALL YOUR WRITING TO
$_SESSION
// $_SESSION can still be read, but writing will not update session
session_write_close(); // LOCK REMOVED, OTHER SCRIPTS CAN NOW READ SESSION
do_something_slow();
?>
Found this out from http://konrness.com/php5/how-to-prevent-blocking-php
-requests/
elitescripts2000 at yahoo dot com 9 years ago
3 easy but vital things about Sessions in AJAX Apps.
<?php
// SESSION START
// IT IS VERY IMPORTANT TO INCLUDE A PERIOD IF USING A WHOLE DOMAIN
// (.yourdomain.com)
// IT IS VERY IMPORTANT TO SET ROOT PATH YOUR SESSION WILL ALWAYS
// OPERATE IN... (/members) WILL ENSURE SESSIONS WILL NOT BE INTERFERED
// WITH A SESSION WITH A PATH OF SAY (/admin) ... SO YOU CAN LOG IN
// AS /admin AND AS /members... NEVER DO unset($_SESSION)
// $_SESSION=array(); IS PREFERRED, session_unset(); session_destroy();
session_set_cookie_params( 0, '/members', '.yourdomain.com', 0, 1 );
session_start();
$_SESSION = array();
session_unset();
session_destroy();
session_set_cookie_params(0, '/members', '.yourdomain.com', 0, 1);
session_start();
$_SESSION['whatever'] = 'youwhat';
// SESSION DESTROYING
// TO BE SAFE, CLEAR OUT YOUR $_SESSION ARRAY
// NEXT, WHAT MOST PEOPLE DO NOT DO IS DELETE SESSION COOKIE!
// IT IS EASY TO DELETE A COOKIE BY EXPIRING IT LONG BEFORE CURRENT
TIME.
// ONLY WAY TO DELETE A COOKIE, IS TO MAKE SURE ALL PARAMETERS MATCH
// COOKIE TO BE DELETED...WHICH IS EASY TO get THOSE PARAMS WITH
// session_get_cookie_params()...
// FINALLY, USE session_unset(); AND session_destroy(); IN THIS ORDER
// TO ENSURe Chrome, IE, Firefox AND OTHERS, ARE PROPERLY DESTROYING
// THE SESSION
$_SESSION = array();
if( ini_get( 'session.use_cookies') )
{
$p = session_get_cookie_params();
setcookie(session_name(), '', time() - 31536000, $p['path']
, $p['domain'], $p['secure'], $p['httponly']);
}
session_unset();
session_destroy();
// AJAX and SESSIONS.
// Example... YOU START A SESSION BASED PHP PAGE, WHICH THEN CALLS AN Ajax
// (XMLHTTP) AUTHENTICATED USING SAME SESSION TO POLL AND OUTPUT DATA, FOR
// EXAMPLE. BUT, NOTICE WHEN TRY TO START POLLING AJAX CALL ALWAYS HANGS
AND
// SEEMS TO HANG AT session_start(). THIS IS BECAUSE SESSION IS OPENED IN
FIRST
// PAGE, CALLS AJAX POLLING EXAMPLE, AND TRIES TO OPEN SAME SESSION (FOR
// AUTHENTICATION) AND DO AJAX CALL, YOU MUST CALL session_write_close();
// MEANING YOU ARE DONE WRITING TO $_SESSION VARIABLE, WHICH REALLY
REPRESENTS
// A FILE THAT MUST BE CLOSED WITH session_write_close();.... THEN YOU CAN
// CALL YOUR AJAX POLLING CODE TO REOPEN SAME SESSION AND DO ITS POLLING...
// NORMALLY, $_SESSION IS CLOSED AUTOMATICALLY WHEN SCRIPT IS CLOSED OR
// FINISHED EXECUTING SO, IF YOU NEED TO KEEP A PHP PAGE RUNNING AFTER
OPENING
// A SESSION, SIMPLY CLOSE IT WHEN FINISHED WRITING TO $_SESSION SO AJAX
// POLLING PAGE CAN AUTHENTICATE AND USE SAME SESSION IN A SEPERATE WEB
PAGE...
session_write_close();
?>
Hope this helps someone with their sessions...
Thanks.
someOne_01 at somewhere dot com 10 years ago
When you have an import script that takes long to execute, the browser seem
to lock up and you cannot access the website anymore. this is because a
request is reading and locking the session file to prevent corruption.
you can either
- use a different session handler with session_set_save_handler()
- use session_write_close() in the import script as soon you don't need
session
anymore (best moment is just before the long during part takes place), you
can
session_start when ever you want and as many times you like if your import
script requires session variables changed.
example
<?php
session_start(); // INITIATE / OPEN SESSION
$_SESSION['count'] = 0; // STORE SOMETHING IN SESSION
session_write_close(); // NOW CLOSE IT
# FROM HERE EVERY OTHER SCRIPT CAN BE RUN (AND MAKES IT SEEM LIKE
MULTITASKING)
for( $i =0; $i <= 100; $i++ )
{ // DO 100 CYCLES
session_start(); // OPEN SESSION AGAIN FOR EDITING A VARIABLE
$_SESSION['count'] += 1; // CHANGE VARIABLE
session_write_close(); // NOW CLOSE SESSION AGAIN!
sleep(2); // EVERY CYCLE SLEEP TWO SECONDS, OR DO A HEAVY TASK
}
?>
axew3 at axew3 dot com 5 years ago
X Maintainers ... Sorry to be such pain the ass, please delete this
duplicate,
because submitted in a crazy 'session' where i've mess things between
browser
tabs ... sorry again, alessio
http://php.net/manual/en/function.session-start.php#121310
Anonymous 2 years ago
Be careful with 'read_and_close' option. It doesn't update session file's
last
modification time unlike the default PHP behaviour when you don't close the
session (or when you use session_write_close explicitly). Old session
files
(for me, older than 24 minutes) will be occasionally cleared by the garbage
collector (for me every 09 and 39 minute of every hour). So a session can
disappear even if the page regularly sends requests to the server that only
reads and closes the session.
jamestrowbridge at gmail dot com 13 years ago
Unfortunately, after pulling my hair out trying to figure out why my
application
was working fine in every browser other than IE ( Internet Explorer)
(Opera,
Chrome, Firefox, Safari are what I've tested this in) - when using a DNS
Cname
record (like a vanity name that is different from the DNS A record, which
is
the hostname of the server) sessions do not work correctly.
If you store a session var while on the Cname:
vanity.example.com and the hostname of the server is hosname.example.com
Then try to call the variable from a different page, it will not find it
because of the Cname (I guess it store the variable under the hostname,
then
when trying to read it it's still looking under the Cname) the same
application
works fine when accessing it under the hostname directly. Keep in mind
that
I
was testing this on an internal network.
ben dot morin at spaboom dot com 16 years ago
James at skinsupport dot com raises a good point (warning) about additional
requests from the browser. The request for favicon.ico, depending on how
it
is
handled, can have unintended results on your sessions.
For example, suppose you have ErrorDocument 404 /signin.php, no favicon.ico
file and all pages in your site where the user signs in are also redirected
to
/signin.php if they're not already signed in.
If signin.php does any clean up or reassigning of session_id (as all good
signin.php pages should) then the additional request from the browser for
favicon.ico could potentially corrupt the session as set by the actual
request.
Kudos to James for pointing it out and shame on me for skimming past it and
not
seeing how it applied to my problem. Thanks too to the Firefox Live HTTP
Headers extension for showing the additional request.
Don't waste days or even hours on this if your session cookies are not
being
sent or if the session data isn't what you expect it to be. At a minimum,
eliminate this case and see if any additional requests could be at fault.
James 16 years ago
To avoid the notice commited by PHP since 4.3.3 when you start a session
twice, check session_id() first:
if( session_id() == "")
session_start();
hu60 dot cn at gmail dot com 3 years ago
The following code shows how the PHP session works. The function
my_session_start() does almost the same thing as session_start().
<?php
error_reporting( E_ALL );
ini_set( 'display_errors', true );
ini_set( 'session.save_path', __DIR__ );
my_session_start();
echo '<p>session id: '.my_session_id().'</p>';
echo '<code><pre>';
var_dump($_SESSION);
echo '</pre></code>';
$now = date('H:i:s');
if( isset( $_SESSION['last_visit_time']) )
{
echo '<p>Last Visit Time: '.$_SESSION['last_visit_time'].'</p>';
}
echo '<p>Current Time: '.$now.'</p>';
$_SESSION['last_visit_time'] = $now;
/*F**********************************************************************
*
************************************************************************/
function my_session_start()
{
global $phpsessid, $sessfile;
if( !isset($_COOKIE['PHPSESSID']) || empty($_COOKIE['PHPSESSID']) )
{
$phpsessid = my_base32_encode(my_random_bytes(16));
setcookie( 'PHPSESSID', $phpsessid, ini_get(
'session.cookie_lifetime')
, ini_get( 'session.cookie_path'), ini_g
et('session.cookie_domain')
, ini_get('session.cookie_secure')
, ini_get('session.cookie_httponly'));
} else
{
$phpsessid = substr( preg_replace( '/[^a-z0-9]/', ''
, $_COOKIE['PHPSESSID']), 0, 26 );
}
$sessfile = ini_get( 'session.save_path').'/sess_'.$phpsessid;
if( is_file( $sessfile ) )
{
$_SESSION = unserialize(file_get_contents($sessfile));
}
else
{
$_SESSION = array();
}
register_shutdown_function( 'my_session_save' );
}
/*F**********************************************************************
*
************************************************************************/
function my_session_save()
{
global $sessfile;
file_put_contents( $sessfile, serialize( $_SESSION ) );
}
/*F******************************************************
*
********************************************************/
function my_session_id()
{
global $phpsessid;
return $phpsessid;
}
/*F**********************************************************************
*
************************************************************************/
function my_random_bytes( $length )
{
if( function_exists( 'random_bytes'))
{
return random_bytes( $length );
}
$randomString = '';
for ($i = 0; $i < $length; $i++)
{
$randomString .= chr( rand( 0, 255));
}
return( $randomString );
}
/*F**********************************************************************
*
************************************************************************/
function my_base32_encode($input)
{
$BASE32_ALPHABET = 'abcdefghijklmnopqrstuvwxyz234567';
$output = '';
$v = 0;
$vbits = 0;
for( $i = 0, $j = strlen( $input); $i < $j; $i++)
{
$v <<= 8;
$v += ord( $input[$i] );
$vbits += 8;
while( $vbits >= 5)
{
$vbits -= 5;
$output .= $BASE32_ALPHABET[$v >> $vbits];
$v &= ((1 << $vbits) - 1);
}
}
if( $vbits > 0)
{
$v <<= (5 - $vbits);
$output .= $BASE32_ALPHABET[$v];
}
return $output;
}
schlang 13 years ago
if you store your sessions in a database, always ensure that the type of
the
database column is large enough for your session values
jorrizza at gmail dot com 18 years ago
If you open a popup window (please no commercial ones!) with javascript
window.open it might happen IE blocks the session cookie.
A simple fix for that is opening the new window with the session ID in a
get
value. Note I don't use SID for this, because it will not allways be
available.
----page.php----
//you must have a session active here
window.open('popup.php?sid=<?php echo session_id(); ?>', '700x500'
, 'toolbar=no, status=no, scrollbars=yes, location=no, menubar=no
, directories=no, width=700, height=500');
----popup.php----
<?php
session_id( strip_tags($_get['sid']));
session_start();
//and go on with your session vars
?>
andy_isherwood at hotmail dot com ¶ 14 years ago
A session created with session_start will only be available to pages within
the directory tree of the page that first created it.
i.e. If the page that first creates the session is /dir1/dir2/index.php and
the user then goes to any page above dir2 (e.g. /dir1/index.php),
session_start will create a new session rather than use the existing one.
polygon dot co dot in at gmail dot com 1 year ago
Websites are prone to Session Attack where its proper usage is not done.
There are tools like "Apache Benchmark" (ab) and many others which can hit
the website with load for load / performance testing.
Code below starts the session for every request.
<?php
session_start();
$username = $_post['username'];
$password = $_post['password'];
if( isValidUser( $username, $password))
{
Suserdetails = getUserDetails($username);
$_SESSION['user_id'] = Suserdetails['user_id'];
$_SESSION['username'] = Suserdetails['username'];
$_SESSION['firstname'] = Suserdetails['firstname'];
header( 'Location: dashboard.php');
}?>
This generates session file for every request irrespective of PHPSESSID
cookie value when I use tools like ab, there by creating inode issue.
One should start the session after properly authenticating.
<?php
$username = $_post['username'];
$password = $_post['password'];
if( isValidUser($username, $password))
{
Suserdetails = getUserDetails( $username );
session_start();
$_SESSION['user_id'] = Suserdetails['user_id'];
$_SESSION['username'] = Suserdetails['username'];
$_SESSION['firstname'] = Suserdetails['firstname'];
header( 'Location: dashboard.php');
}
?>
Scripts other then login first validates session which requires session.
<?php
if(session_status()!=PHP_SESSION_NONE) header('Location: login.php');
session_start();
if(!isset($_SESSION['user_id'])) header('Location: login.php');
code logic below....
}
?>
This example is for file based session.
For other modes of session check function session_set_save_handler.
axew3 at axew3 dot com 5 years ago
I need, with easy, count how many times the page reload over the site, may
to add a warning popup, while the counter is 0 ...
session_start();
if( isset($_SESSION['count']))
{
$count = $_SESSION['count'];
$count++;
$count = $_SESSION['count'] = $count;
}
else
{
$count = $_SESSION['count'] = 0;
}
echo $count;
//session_destroy();
bwz 3 months ago
Be warned of another issue with blocking sessions: if you want to call an
external program (or use an external service) that needs to access your
website using the same session.
For example I am printing a page as a PDF. I can just save the web page as
a
html file. But the images in the html are also private and require the
current user session to be seen.
What will happen is that this program might hang indefinitely (or timeout)
as session_start waits for the parent PHP process to release the lock. And
session_start doesn't obey max_execution_time (as documented in this bug:
https://bugs.php.net/bug.php?id=72345 ), so this will effectively kill the
server after a few requests, as each one will be hanging forever
It's the same if you use an external HTTP service:
<?php
$pdf = file_get_contents('http://pdf.website.tld/?ur
l=http://website.tld/print.php');
?>
The service will wait for the website host to release the lock, but it
can't
as it is waiting for the PDF service to finish...
The nice solution is to release the lock immediately by calling
session_write_close after session_start, and when you need to write to the
session you do the same again, but as noted it has its own issues. Using a
custom session handler is probably the best solution.
chris at ocproducts dot com 6 years ago
Initiating a session may overwrite your own custom cache control header,
which may break clicking back to get back to a prior post request (on
Chrome
at least).
On my system it was setting 'no-store', which is much more severe than 'no
-cache' and what was breaking the back-button.
If you are controlling your own cache headers carefully you need to call:
session_cache_limiter('');
...to stop it changing your cache control headers.
fabmlk at hotmail dot com 7 years ago
If you ever need to open multiple distinct sessions in the same script and
still let PHP generate session ids for you, here is a simple function I
came
up with (PHP default session handler is assumed):
<?php
/*********************************************************
* Switch to or transparently create session with name $name.
* It can easily be expanded to manage different sessions lifetime.
********************************************************/
function session_switch($name = "PHPSESSID")
{
static $created_sessions = array();
if( session_id() != '')
{ // if a session is currently opened, close it
session_write_close();
}
session_name( $name );
if( isset($_COOKIE[$name]))
{ // IF SPECIFIC SESSION EXISTS, MERGE WITH $created_sessions
$created_sessions[ $name ] = $_COOKIE[ $name ];
}
if( isset($created_sessions[ $name ]))
{ // IF EXISTING SESSION, IMPERSONATE IT
session_id($created_sessions[$name] );
session_start();
}
else
{ // create new session
session_start();
$_SESSION = array(); // EMPTY CONTENT BEFORE DUPLICATING SESSION
FILE
// DUPLICATE LAST SESSION FILE WITH NEW ID AND
current $_SESSION content
// IF THIS IS THE FIRST CREATED SESSION, THERE IS NOTHING TO DUPLICATE
// FROM AND PASSING TRUE AS ARGUMENT WILL TAKE CARE Of "CREATING" ONLY
// ONE SESSION FILE
session_regenerate_id( empty( $created_sessions ) );
$created_sessions[$name] = session_id();
}
}
session_switch("SESSION1");
$_SESSION["key"] = "value1"; // specific to session 1
session_switch("SESSION2");
$_SESSION["key"] = "value2"; // specific to session 2
session_switch("SESSION1");
// back to session 1
// ...
?>
When using this function, session_start() should not be called on its own
anymore (can be replaced with a call to session_switch() without argument).
Also remember that session_start() sets a Set-Cookie HTTP header on each
call, so if you echo in-between sessions, wrap with ouput buffering.
Note: it's probably rarely a good idea to handle multiple sessions so think
again if you think you have a good use for it.
Personally it played its role for some quick patching of legacy code I had
to maintain.
ilnomedellaccount at gmail dot com 9 years ago
A note about session_start(), custom handlers and database foreign key
constraints, which I think may be of some use...
We know that if we want our sessions into a database table (rather than the
default storage), we can refer to session_set_save_handler(...) to get them
there. Note that session_set_save_handler must (obviously) be called before
session_start(), but let me get to the point...
Upon calling session_start() the "first time", when the session does not
already exist, php will spawn a new session but will not call the write
handler until script execution finishes.
Thus, the session at this point exists in the server process memory, but
won't be visible as a row in the DB before the script ends.
This seems reasonable, because this avoids some unnecessary database access
and resource usage before we even populate our session with meaningfull and
definitive data, but this also has side-effects.
In my case, the script called session_start() to make sure a session was
initiated, then used session_id() to populate another table in the DB,
which
had foreign_key constraint to the "sessions" table. This failed because no
session was in the db at that point, yet!
I know I could simply force the creation of the row in the DB by manually
calling the write handler after session_start(), when necessary, but I am
not sure if this is the best possible approach.
As soon as I find an "elegant" solution, or a completely different
approach,
I will post some working sample code.
In the meanwhile... have fun!
info at nospam dot mmfilm dot sk 13 years ago
For those of you running in problems with utf-8 encoded files:
I was getting an error because of the BOM, although i set Dreamweaver to
"save as" the without the BOM. It appears that DW will not change this
setting in already existing files. After creating a new file withou the
BOM,
everything worked well.
I also recommend http://people.w3.org/rishida/utils/bomtester/index.php - a
utility that remote checks for the presence of BOM.
Charlie at NOSPAM dot example dot com 13 years ago
Be warned that depending on end of script to close the session will
effectively serialize concurrent session requests. Concurrent background
"data retrieval" (e.g. applications such as AJAX or amfphp/Flex) expecting
to retrieve data in parallel can fall into this trap easily.
Holding the session_write_close until after an expensive operation is
likewise problematic.
To minimize effects, call session_write_close (aka session_commit) as early
as practical (e.g. without introducing race conditions) or otherwise avoid
the serialization bottleneck.
tom at bitworks dot de 5 years ago
A simple session_start() will not be sufficiant to kepp you Session alive.
Due to the filesystems mounting parameters, atime will normally not be
updated. Instead of atime, mtime will be delivered.
This behavior may cause an early session death and your users my be kicked
of your login system.
To keep the session alive it will be necessary to write something into the
sessionfile at each request, e. g. a simple
"$_SESSION['time'] = time();"
That would keep your session alive, even if the client in reality is only
clicking around the site.
axew3 at axew3 dot com 5 years ago
I just need with easy, count how many times the page reload over the site,
may to add a warning popup, while the counter is 0:
session_start();
if( isset( $_SESSION[ 'count' ] ) )
{
$count = $_SESSION['count'];
$count++;
$count = $_SESSION['count'] = $count;
}
else
{
$count = $_SESSION['count'] = 0;
}
echo $count;
//session_destroy();
sanjuro at 1up-games dot com 11 years ago
The problem with SID is that if on occasions you don't start a session,
instead of outputting an empty string for transparent integration it will
return the regular undefined constant notice. So you might want to test the
constant with defined() beforehand.
info.at.merchandisinginteractive.sk 13 years ago
A handy script that checks fot the presence of uft-8 byte order mark (BOM)
in all files in all directories starting on current dir. Combined from the
work of other people here...
<?php
/*F**********************************************************************
*
************************************************************************/
function fopen_utf8 ($filename)
{
$file = @fopen($filename, "r");
$bom = fread($file, 3);
if( $bom != b"\xEF\xBB\xBF")
{
return false;
}
else
{
return true;
}
}
/*F**********************************************************************
*
************************************************************************/
function file_array($path, $exclude = ".|..|design", $recursive = true)
{
$path = rtrim($path, "/") . "/";
$folder_handle = opendir($path);
$exclude_array = explode("|", $exclude);
$result = array();
while( false !== ($filename = readdir($folder_handle)))
{
if( !in_array(strtolower($filename), $exclude_array))
{
if( is_dir( $path . $filename . "/"))
{ // Need to include full "path" or it's an infinite loop
if( $recursive)
$result[] = file_array($path . $filename . "/",
$exclude
, true);
}
else
{
if( fopen_utf8($path . $filename) )
{
//$result[] = $filename;
echo ($path . $filename . "<br>");
}
}
}
}
return( $result );
}
$files = file_array(".");
?>
m dot kuiphuis at hccnet dot nl 19 years ago
[Editors Note: For more information about this
http://www.zvon.org/tmRFC/RFC882/Output/chapter5.html ]
I use name-based virtual hosting on Linux with Apache and PHP 4.3.2.
Every time when I refreshed (by pressing F5 in Internet Explorer) I noticed
that I got a new session_id. Simultaneously browsing the same site with
Netscape didn't give me that problem. First I thought this was some PHP
issue (before I tested it with Netscape), but after searching a lot on the
internet I found the problem.
Since I was using name based virtual hosting for my testserver and we have
different webshops for different customers I used the syntax
webshop_customername.servername.nl as the domain-name.
The _ in the domain name seemed to be the problem. Internet Explorer just
denies setting the cookie on the client when there is a special character
(like an _ ) in the domain name. For more information regarding this issue:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;316112
Stupidly enough, this information was related to asp (yuk :o)
anon at ymous dot com 12 years ago
I am trying to get a session created by a browser call to be used by a
command line cli->curl php call (in this case, both calls to the same
server
and php.ini), for a set of flexible media import routines,
but the cli->curl call always starts a new session despite me putting
PHPSESSID=validID as the first parameter for the url called by curl.
I was able to fix it by calling session_id($_get['PHPSESSID']) before
calling session_start() in the script called via curl.
dstuff at brainsware dot org 13 years ago
It seems like spaces in the name don't work either - got a new session id
generated each time
leandroico---at---gmail---dot---com 16 years ago
TAGS: session_start headers output errors include_once require_once php tag
new line
Errors with output headers related to *session_start()* being called inside
include files.
If you are starting your session inside an include file you must be aware
of
the presence of undesired characters after php end tag.
Let's take an example:
> page.php
<?php
include_once 'i_have_php_end_tag.inc.php';
include_once 'init_session.inc.php';
echo "Damn! Why I'm having these output header errors?";
?>
> i_have_php_end_tag.inc.php
<?php
$_JUST_A_GLOBAL_VAR = 'Yes, a global var, indeed';
?>
> init_session.inc.php
<?php
session_start();
$_SESSION['blabla'] = 123;
?>
With all this stuff we will get an error, something like:
"... Cannot send session cache limiter - headers already sent (output
started at ...", right?
To solve this problem we have to ignore all output sent by include files.
To
ensure that we need to use the couple of functions: *ob_start()* and
*ob_end_clean()* to suppress the output. So, all we have to do is changing
the *page.php* to this:
<?php
ob_start();
include_once 'i_have_php_end_tag.inc.php';
include_once 'init_session.inc.php';
ob_end_clean();
echo "Woo hoo! All right! Die you undesired outputs!!!";
?>
jphansen at uga dot edu 15 years ago
I just wrote that session_start() will erase your querystring variable(s)
once called. I want to clarify that it will only do this if a variable by
the same subscript is defined in $_SESSION[].
erm[at]the[dash]erm[dot]com 17 years ago
If you are insane like me, and want to start a session from the cli so
other
scripts can access the same information.
I don't know how reliable this is. The most obvious use I can see is
setting pids.
// temp.php
#!/usr/bin/php -q
<g?php
session_id ("temp");
session_start();
if( $_SESSION )
{
print_r( $_SESSION);
}
$_SESSION['test'] = "this is a test if sessions are usable inside scripts";
?>
// Temp 2
#!/usr/bin/php -q
<g?php
session_id ("temp");
session_start();
print_r ($_SESSION);
?>
james at skinsupport dot com 17 years ago
One thing of note that caused me three days of trouble:
It's important to note that Firefox (for one) makes two calls to the server
automatically. One for the page, and one for favicon.ico.
If you are setting session variables (as I was) to certain values when a
page exists, and other values when pages don't exist, the values for non
-existent pages will overwrite the values for existing pages if favicon.ico
doesn't exist.
I doubt many of you are doing this, but if you are, this is a consideration
you need to address or you'll be bald over the course of a three day
period!
ivijan dot stefan at gmail dot com 6 years ago
How to fix session_start error?
Sometimes when you made plugins, addons or some components in projects you
need to check if session is started and if is not, you need to start it
with
no session_start() errors.
Here is my tested solution what currently work on +9000 domains and in one
my plugin but also in some custom works.
<?php
if( strnatcmp( phpversion(),'5.4.0') gt;= 0 )
{
if( session_status() == PHP_SESSION_NONE)
{
session_start();
}
}
else
{
if( session_id() == '')
{
session_start();
}
}
?>
Feel free to use it and don't worry, be happy. ;)
hbertini at sapo dot pt 18 years ago
workaround when using session variables in a .php file referred by a frame
(.html, or other file type) at a different server than the one serving the
.php:
Under these conditions IE6 or later silently refuses the session cookie
that
is attempted to create (either implicitly or explicitly by invoquing
session_start()).
As a consequence, your session variable will return an empty value.
According to MS kb, the workaround is to add a header that says your remote
.php page will not abuse from the fact that permission has been granted.
Place this header on the .php file that will create/update the session
variables you want:
<?php header('P3P: CP="CAO PSA OUR"'); ?>
Regards,
Hugo
Nathan 4 years ago
Btw you can use:
if( !isset($_SESSION) )
{
// We love every user
session_start();
// Then refresh for changes to take affect
header( "location: ../../");
}
elseif( $_SESSION["user] == "123ABC - abcmouse.com")
{
// DON'T LIKE THIS USER, SO LET'S KICK THEM OUT OF SESSION
session_destroy();
// Then refresh for changes to take affect
header("location: ../../");
}